Electronic voting systems and the associated electronic voting records have many advantages over traditional voting systems. Unfortunately, the integrity of electronic voting systems can be compromised, which makes these records less reliable and ultimately erodes the trust of the voter. This lack of reliability complicates efforts to demonstrate control of files and processes in the event of legal proceedings.
There are two obvious opportunities for fraud in connection with electronic voting. The first is with the electronic vote record (EVR). Since EVRs are digital records, they are subject to alteration. In other words, after a voter submits a vote and an EVR is created, that EVR can be fraudulently altered prior to the counting of votes. The second opportunity for fraud is with the voting software itself. The software can be altered to create an EVR that records a vote for a candidate other than the one the voter selected.
Current “Direct Recording Electronic” (DRE) systems have a number of internal security features and procedures to deter, or prevent, illicit tampering with the software, firmware, or hardware itself. Hereinafter, DRE is used to denote a system used for implementing an electronic voting process. Given the complexity of these systems relative to their conventional predecessors, and the number of individuals and firms involved in manufacturing and developing them, the systems are left vulnerable to “insider” attack, as well as to outsider attack by individuals who possess a moderate level of skill in computer science. Other issues also leave these systems vulnerable to outsider attack. Vendors of these systems typically resolve such issues in successive version releases, since they realize that voter trust is critical to the acceptance of this relatively new voting method. Eliminating (or at least substantially reducing) voter suspicion of electronic voting systems is fundamental to widespread adoption.
There are currently four leading vendors of DRE voting systems in official use today. Hereinafter, these vendors are referred to as Vendor 1, Vendor 2, Vendor 3, and Vendor 4, respectively. The current security features of DRE voting systems are illustrated by these four leading vendors' configurations. All of the summarized features are intended to prevent tampering; however, none of them validates the authenticity of data records or software prior to, during, and after the voting event in a way that determines whether tampering has occurred (or, more appropriately, proves that tampering has not occurred). Nor do the methods these systems employ escrow the data or software in a verifiable, legally defensible manner with an independent auditing firm such as a law firm. The published security features of the vendor systems described below illustrate the security and validation problems inherent in the DRE voting systems currently available. The following paragraphs are excerpts from a report published by the State of Ohio giving the results of its DRE selection process. The State of Ohio retained the firm “Compuware” to conduct the analysis and provide the assessment report. These excerpts outline all the security features that the respective DRE vendors include in their systems.
Vendor 1: “Voter smart cards are used to allow access to the system. The votes are stored in a random order into separate vote buckets. The vote records are hashed in a random order to prevent determination of the vote order. A voter card controls voter access. The voter card is a smart card issued only from this vendor. Using a card reader to properly identify the precinct of the voter activates voter cards. The information on the voter card only allows the DRE to identify and present the proper ballot for the voter. Immediately after voting the card is disabled and ejected from the DRE and the voter is to return the card to the poll workers. The supervisor's access is limited with a Supervisor's card and a PIN must be entered. The PIN is set by the DRE vendor and is the same for all DREs of this type. The vendor stores ballot definitions and Cast Vote Records on the PCMCIA removable media. The Cast Vote Records are encrypted with a DES encryption package. This vendor's system provides an audit log that can be printed out using a specific supervisor function. The audit log produces a report, serving as a paper trail to guard against fraud. This vendor's DRE management system uses the MS Access database to store ballot definition data and election results. There is a risk that an unauthorized person with access to the management system server can access the database and change ballot definition files and election results.”
Vendor 2: “The PEB uses a proprietary communication protocol to identify the voter's authorization. Several checks occur including the authenticity of the PEB. The ballot data is checksummed and validated when read from the PEB. Votes are stored in binary format, in random memory buckets as each voter takes their turn. The randomness is partially seeded with the internal time clock. The Portable Electronic Ballot (PEB) is keyed to an election by using an internally generated ID that is unknown to anyone using the system. At insertion the PEB is immediately disabled from anyone else using it. There are separate PEBs that only allow administrative functions, which are also password protected. There is no use of encryption by this vendor on any of the data files. Data is not encrypted when being loaded into the voting unit. There are some safeguards such as the use of a binary format and the infrared communications that prevent unauthorized access. The only way to gain supervisor rights to the DRE is by using a supervisor PEB for that specific election and by knowing the hard-coded passwords.”
Vendor 3: “The vote records are stored randomly in the storage media (Mobile Ballot Box (MBB), internal memory of the voting unit and Judges Booth Controller (JBC)). An appropriate algorithm is implemented in the code to store the data randomly and without time stamp. The source code for JBC generates unique access codes for a precinct. Voters use these codes to access the voting unit device and cast their votes. These access codes are valid only for a specified time (which is set in the BOSS system) and the voting unit does not accept these codes after that time has expired. Vote and audit information is stored in 3 places—MBB, internal memory, and JBC. In the event of a disaster, the SERVO software can re-create MBBs with data from either the JBC or eSlate devices. System alerts are given in case of errors during data transmission between eSlate units and JBC. No published encryption methodology is used in the system, but the data is stored in proprietary binary format. The voter is identified to the voting unit based on a four-digit PIN generated by the JBC. Communication between JBC and voting units uses RS485 protocol. The data transmitted between these units is not encrypted. After the polls are closed, the MBBs or eSlate units are physically transported to the computer(s) at a central location and are read by the tabulation management software to tally the results.”
Vendor 4: “CRC 16 algorithm has been implemented in the code to check for the correctness of the ballot image. Multiple read-write operations are implemented to make sure the data has not changed. This is done between each vote and power up. The vote records are stored in a random order in the results cartridge. A pseudo-random number generator (a 32-bit maximal length random sequence is seeded by the seconds portion of the internal clock) is implemented in the code. The smartcards used by voters are kept valid for a certain timeframe. Logic is implemented to deactivate the card by putting random data once it is used to enter a vote. Using the same card (without activation) gives a visual error message. Recorded Votes and audit logs are stored in redundant memories (the internal memory in the voting unit and the results cartridge). In case of data mismatch, a consolidation card can be created from WinEDS software and used to read results from the voting unit. The type of encryption used on the voter smart card is DES (Data Encryption Standard) signed with SHA-1 (Secure Hash Algorithm). The cryptographic key appears to be derived from the hard-coded seed 1024 (refer to EEPROM_SZ in file Edgemap.h). The vote records and ballot information are not encrypted. Cryptographic signatures for each of the totals data files (ballot images, selection code summary totals and candidate summary totals) are computed and stored in the voting unit and results cartridge. The voting system is not on a network. At the poll location, the results cartridge is inserted into the voting unit and the vote data and audit trail information is stored in the cartridge and internal memory. At close of polls, the results cartridges are physically transported to computer(s) at central location and are read by the WinEDS software to tally the results.”
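The report excerpts above list storage randomization, checksums and a CRC-16 on the ballot image among the vendors' integrity features, while the paragraph introducing them notes that none of these validates the authenticity of a record. The following added example, which is not taken from the report or from any vendor's code, shows concretely why a CRC cannot: a tampered record can be given exactly the same CRC-16 as the original by adjusting two filler bytes, so a CRC match proves nothing against a deliberate change. The CRC variant (CRC-16/CCITT-FALSE), the record layout, and the escrow key used for contrast are assumptions chosen for illustration, not the vendor's format or key material.

```python
import hashlib
import hmac

# CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF, no reflection, no final XOR).
# The report does not name the vendor's CRC-16 variant; this one is an
# assumption, and the forgery works the same way for any CRC.
_POLY = 0x1021
_TABLE = []
for _i in range(256):
    _c = _i << 8
    for _ in range(8):
        _c = ((_c << 1) ^ _POLY) if _c & 0x8000 else (_c << 1)
    _TABLE.append(_c & 0xFFFF)


def crc16_update(crc: int, data: bytes) -> int:
    """Advance a CRC-16 state over data, one table lookup per byte."""
    for b in data:
        crc = ((crc << 8) & 0xFFFF) ^ _TABLE[((crc >> 8) ^ b) & 0xFF]
    return crc


def crc16(data: bytes) -> int:
    """CRC-16/CCITT-FALSE of a whole message (check value of b"123456789" is 0x29B1)."""
    return crc16_update(0xFFFF, data)


# Constructed sample ballot image with a two-byte filler field at the end.
# The layout is invented for this example.
ORIGINAL = b"PRECINCT=0042;CONTEST=1;CHOICE=A;FILL=\x00\x00"
TAMPERED_PREFIX = b"PRECINCT=0042;CONTEST=1;CHOICE=B;FILL="


def forge_crc16(tampered_prefix: bytes, target_crc: int) -> bytes:
    """Return tampered_prefix plus two filler bytes whose CRC-16 equals target_crc.

    The CRC state after the prefix is computed once and only the two trailing
    bytes are searched (65536 candidates). A CRC is linear over GF(2) and the
    final two bytes map one-to-one onto the 16-bit state, so exactly one
    filler value matches and the search always succeeds.
    """
    state = crc16_update(0xFFFF, tampered_prefix)
    for filler in range(0x10000):
        tail = filler.to_bytes(2, "big")
        if crc16_update(state, tail) == target_crc:
            return tampered_prefix + tail
    raise RuntimeError("no filler found; the CRC variant assumption was violated")


def forged_record() -> bytes:
    """A record voting for B that carries the CRC-16 of the record voting for A."""
    return forge_crc16(TAMPERED_PREFIX, crc16(ORIGINAL))


# For contrast: a keyed MAC over the same bytes. The key is assumed to be held
# by an independent party rather than the voting unit; without it the attacker
# cannot produce a tag that matches the altered record.
ESCROW_KEY = b"constructed-example-key-not-for-real-use"


def mac(record: bytes) -> str:
    return hmac.new(ESCROW_KEY, record, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    forged = forged_record()
    print("original CRC-16:", hex(crc16(ORIGINAL)), ORIGINAL)
    print("forged   CRC-16:", hex(crc16(forged)), forged)
    print("keyed MAC still matches:", hmac.compare_digest(mac(ORIGINAL), mac(forged)))
```

The same adjustment works against any checksum or CRC regardless of width; widening the CRC only lengthens the search, whereas a keyed MAC or a digital signature over the record cannot be satisfied by an attacker who does not hold the key.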
Unfortunately, although current voting systems utilize technologies and processes to prevent attacks on their integrity, these systems fail to provide legally defensible proof of the authenticity and integrity of voting records. Moreover, the current systems do not provide any actionable intelligence should a breach of integrity occur. The prior art systems lack a means of creating a legally defensible record that proves either that all vote records and software utilized in the voting process were not tampered with, or that some vote records or software were tampered with (if that is the case). This proof must extend from the time the DRE software is certified and the DRE systems are approved by an Independent Testing Authority, through the use of the DRE systems in the election process, the tabulation of election results, and any necessary recounts.
Thus, there is a long-felt need for a means to ensure that electronically cast votes are accurately counted and protected against alteration. There is also a long-felt need for a means to ensure that software used in electronic voting systems is protected from alteration from certification through the entire voting period.
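The two preceding paragraphs state what a legally defensible record must establish: that the certified software and the vote records were unchanged from certification through tabulation and recount, and, where they were not, which artifacts changed. The following added example is not part of the application and does not describe its claimed method; it sketches the minimum mechanism behind such a record, a hash-chained log of per-phase digest manifests whose head is deposited with an independent party. The artifact names and contents, the phase names, and the simplification of escrowing only the chain head are assumptions for illustration. A real deployment would have the escrow party sign and timestamp each deposit, which Python's standard library alone cannot do, so that step is left to the depositing party here.

```python
import hashlib
import json

# Constructed artifacts: a "certified" software image and a few electronic
# vote records (EVRs). Contents are invented for this example.
CERTIFIED_SOFTWARE = {"dre_firmware.bin": b"DRE firmware build 1.0 (constructed)"}
CAST_VOTES = {
    "evr-0001": b"PRECINCT=0042;CONTEST=1;CHOICE=A",
    "evr-0002": b"PRECINCT=0042;CONTEST=1;CHOICE=B",
    "evr-0003": b"PRECINCT=0042;CONTEST=1;CHOICE=A",
}
GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest(artifacts: dict) -> dict:
    """Map each artifact name to the SHA-256 of its bytes."""
    return {name: sha256_hex(data) for name, data in sorted(artifacts.items())}


def entry_hash(entry: dict) -> str:
    """Hash of an entry (without its own 'hash' field) in canonical JSON."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


def append_entry(chain: list, phase: str, artifacts: dict) -> dict:
    """Append a phase record committing to the artifacts seen and to the prior entry."""
    entry = {
        "phase": phase,
        "manifest": manifest(artifacts),
        "prev": chain[-1]["hash"] if chain else GENESIS,
    }
    entry["hash"] = entry_hash(entry)
    chain.append(entry)
    return entry


def verify_chain(chain: list, escrowed_head: str) -> bool:
    """Recompute every link; the final hash must equal the head held in escrow."""
    prev = GENESIS
    for entry in chain:
        if entry["prev"] != prev or entry_hash(entry) != entry["hash"]:
            return False
        prev = entry["hash"]
    return prev == escrowed_head


def changed_artifacts(chain: list, phase_a: str, phase_b: str) -> list:
    """Names whose digest differs between two phases: the actionable part of the record."""
    by_phase = {e["phase"]: e["manifest"] for e in chain}
    a, b = by_phase[phase_a], by_phase[phase_b]
    return sorted(n for n in set(a) | set(b) if a.get(n) != b.get(n))


def build_chain(votes_at_recount: dict) -> list:
    """Walk the lifecycle from certification to recount, committing what each phase observes."""
    chain = []
    append_entry(chain, "certification", CERTIFIED_SOFTWARE)
    append_entry(chain, "election-day", {**CERTIFIED_SOFTWARE, **CAST_VOTES})
    append_entry(chain, "recount", {**CERTIFIED_SOFTWARE, **votes_at_recount})
    return chain


if __name__ == "__main__":
    clean = build_chain(CAST_VOTES)
    escrowed = clean[-1]["hash"]          # deposited with the independent party
    print("clean chain verifies:", verify_chain(clean, escrowed))

    # One EVR is altered between election day and the recount.
    altered = dict(CAST_VOTES, **{"evr-0002": b"PRECINCT=0042;CONTEST=1;CHOICE=A"})
    tampered = build_chain(altered)
    print("changed between phases:", changed_artifacts(tampered, "election-day", "recount"))

    # Someone rewrites the log afterwards to hide the change; the escrowed head exposes it.
    tampered[1]["manifest"]["evr-0002"] = tampered[2]["manifest"]["evr-0002"]
    print("rewritten log verifies:", verify_chain(tampered, escrowed))
```

Two failure modes are distinguished: a changed artifact shows up as a manifest difference between phases while the chain itself still verifies, and a later rewrite of the log (with or without recomputed hashes) fails verification against the head held by the escrow party, which is what makes the record defensible rather than merely self-reported.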